Social Engineering - oic-cert.org Engineering EN.pdf · Social Engineering is the art of...

37 pages
Social Engineering Cybersecurity Awareness

Page 1

Social Engineering

Cybersecurity Awareness

Page 2

About Social Engineering

Page 3

What is Social Engineering?

Social Engineering is the art of manipulating people into performing actions that lead to a breach of confidential data or give access to sensitive personal information.

Stages of a social engineering attack:

1. Information Gathering

2. Development of Relationship

3. Exploiting Relationship

4. Execution to Achieve the Objective

Page 4

What are they searching for?

Collect sensitive information

Identity theft

Targeted attacks

Page 5

Why do they succeed?

Human nature of trust

Lack of information security awareness

Lack of security policy and procedures

Lack of access-rights controls on information

Page 6

Social Engineering Techniques

Page 7

Techniques

Vishing

SMiShing

Phishing

Tailgating

Baiting

Shoulder surfing

Dumpster Diving

Page 8

Social Engineering: Phishing

Page 9

Phishing

Phishing is a form of email fraud in which the fraudster sends a legitimate-looking email, posing as a trusted entity, that is designed to extract sensitive information or deliver malware.

Did You Know? 94% of malware is delivered via email.

Source: https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html

Page 10

[Diagram: Phisher, Bank, Internet Consumer]

Page 11

Phishing: General Phishing

What is it? Email messages claiming to come from trusted sources like your bank, asking you to verify your account, re-enter your personal information or make a payment.

Why? To trick you into providing your bank account details so that the attacker can access your account and steal your money.

How to avoid? Compare these messages with ones you already have, and call the source to re-verify, using a number from your card or statement rather than one given in the message.

Page 12

Phishing: Spear Phishing

What is it? Email messages aimed at specific, usually higher-profile people who hold valuable information, written using details gathered about the target so that they look convincing.

Why? Directly targeting you, to access your bank account and steal your money, or to collect sensitive information.

How to avoid? Look out for spelling mistakes and fake URLs; hover over a link to see where it really points before clicking, and treat unexpected requests with suspicion even when they use your name and role.

Page 13

Phishing: Authority Fraud

What is it? Email messages sent from addresses that closely resemble those of a national government or regulatory authority, requesting confidential information or demanding payments.

Why? To trick the victim into providing confidential information or transferring money to the cybercriminals.

How to avoid? Double-check suspicious requests with the authority before providing information or sending money, using contact details you already have or that are published on the authority's official website, never the ones given in the message.
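The three phishing variants above (general phishing, spear phishing with its fake URLs, and authority fraud with its look-alike sender addresses) share a small set of mechanical tells that can be checked automatically: a sender domain that imitates a trusted one, a display name that claims a brand the address does not belong to, a link whose visible URL differs from its real target, and a link to a bare IP address. The Python below is an added example written for this page, not code from OIC-CERT; the trusted-domain list, the confusable-character table, the 0.85 similarity threshold and the three sample messages are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: the domains this recipient genuinely deals with.
TRUSTED_DOMAINS = {"examplebank.com", "tax-authority.example"}

# Character swaps commonly used to build look-alike domains (rn -> m, 1 -> l, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_IN_TEXT = re.compile(r"https?://[^\s<\"']+", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'exarnp1ebank.com' compares as 'examplebank.com'."""
    d = domain.lower().strip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def squash(s: str) -> str:
    """Lower-case and drop spaces/hyphens so 'Tax Authority' matches the label 'tax-authority'."""
    return re.sub(r"[\s\-]", "", s.lower())


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower().strip(".")
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand embedded in an unrelated domain: examplebank.com.verify-login.net, secure-examplebank.com
        if brand in norm:
            return trusted
        # Near-miss spelling: examplebnak.com (threshold is a constructed heuristic)
        if SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return trusted
    return None


def check_sender(from_header: str) -> list:
    """Flags on the From: header: look-alike domain, or a display name claiming a brand the address lacks."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain!r} imitates trusted {imitated!r}")
    for trusted in TRUSTED_DOMAINS:
        if squash(trusted.split(".")[0]) in squash(name) and domain.lower() != trusted:
            findings.append(f"display name {name!r} does not match sender domain {domain!r}")
    return findings


def check_links(body: str) -> list:
    """Flags on <a> tags: shown URL differs from real target, bare-IP target, look-alike target."""
    findings = []
    for href, text in ANCHOR.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = URL_IN_TEXT.search(text)
        if shown:
            shown_host = (urlparse(shown.group()).hostname or "").lower()
            if shown_host != target:
                findings.append(f"link text shows {shown_host!r} but points to {target!r}")
        if BARE_IP.fullmatch(target):
            findings.append(f"link target is a bare IP address {target!r}")
        imitated = lookalike_of(target)
        if imitated:
            findings.append(f"link target {target!r} imitates trusted {imitated!r}")
    return findings


def analyze(message: dict) -> list:
    """Run every check on a message given as {'from': header, 'body': html}; empty list = no tells."""
    return check_sender(message["from"]) + check_links(message["body"])


# Constructed sample messages (not real mail).
LEGIT = {"from": "Example Bank <alerts@examplebank.com>",
         "body": 'Statement ready: <a href="https://examplebank.com/statements">https://examplebank.com/statements</a>'}
SPEAR = {"from": "IT Helpdesk <it@examp1ebank.com>",
         "body": 'Your mailbox is full. <a href="http://198.51.100.7/owa">Reset your password</a> today.'}
AUTHORITY = {"from": '"Federal Tax Authority" <refunds@tax-authority-exarnple.net>',
             "body": 'Claim here: <a href="http://tax-authority.example.verify-refund.net/">https://tax-authority.example/refund</a>'}

if __name__ == "__main__":
    for label, msg in [("legit", LEGIT), ("spear", SPEAR), ("authority", AUTHORITY)]:
        print(label, analyze(msg) or ["no findings"])
```

These checks are heuristics, not proof: a legitimate message can trip the brand-in-domain rule (a bank's own marketing domain, for instance), and a careful attacker can avoid all four tells. Their value is that they catch the bulk of commodity phishing mechanically, leaving the "call the source on a known number" step for the cases that pass.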

Page 14

Phishing: Pharming

What is it? Redirecting website traffic by technical means (for example by tampering with name resolution), so that users land on an illegitimate website without realizing they have been redirected to an impostor site, which may look exactly like the real one.

Why? To intercept and steal sensitive information or online payments.

How to avoid? Check the URL in the address bar carefully and look for a valid certificate for that exact domain. A padlock on its own is not proof: it only shows that the connection to the domain shown is encrypted, and impostor sites can obtain valid certificates for their own domains, so the domain name itself must be the one you expect.
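Pharming alters name resolution rather than tricking the user into clicking, so a local check on the machine can complement the advice above. The Python below is an added example, not part of the OIC-CERT material; it assumes two of the usual mechanisms (a tampered hosts file, which the resolver consults before DNS, and a replaced DNS resolver in resolv.conf) and uses constructed sample files and a constructed approved-resolver list.

```python
import ipaddress
import re

# Constructed reference data for this example (adjust to your environment).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}               # the organisation's own DNS servers
WATCHED_DOMAINS = {"examplebank.com", "www.examplebank.com"}  # public sites that must never be pinned locally


def parse_hosts(text: str):
    """Yield (ip_address, [hostnames]) for each effective line of a hosts file.

    Comments (# ...) and blank or malformed lines are skipped, as the resolver skips them.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                       # not an address: ignore, like the resolver does
        yield ip, [name.lower().rstrip(".") for name in parts[1:]]


def hosts_overrides(hosts_text: str) -> list:
    """Return (hostname, ip) pairs that pin a watched site in the hosts file.

    A hosts entry wins over DNS, so any pinning of a public banking site sends the
    browser wherever the entry says, whatever the real DNS answer is.
    """
    return [(name, str(ip))
            for ip, names in parse_hosts(hosts_text)
            for name in names if name in WATCHED_DOMAINS]


def rogue_nameservers(resolv_text: str) -> list:
    """Return nameserver addresses in resolv.conf that are not approved resolvers."""
    rogue = []
    for raw in resolv_text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", raw)
        if m and m.group(1) not in APPROVED_RESOLVERS:
            rogue.append(m.group(1))
    return rogue


def scan(hosts_text: str, resolv_text: str) -> dict:
    """Combine both checks into one report; empty lists mean nothing suspicious was found."""
    return {"hosts_overrides": hosts_overrides(hosts_text),
            "rogue_nameservers": rogue_nameservers(resolv_text)}


# Constructed sample files: a hosts file with a pinned bank entry and a resolv.conf
# pointing at an unknown resolver. Neither comes from a real machine.
HOSTS_SAMPLE = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# added by 'update' 2020-04-03
198.51.100.77   www.examplebank.com examplebank.com
"""
RESOLV_SAMPLE = """\
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.9
"""

if __name__ == "__main__":
    # In real use read /etc/hosts and /etc/resolv.conf (on Windows,
    # C:\Windows\System32\drivers\etc\hosts and the adapter DNS settings).
    for key, value in scan(HOSTS_SAMPLE, RESOLV_SAMPLE).items():
        print(key, value)
```

This catches host-level pharming only; poisoning of an upstream resolver or a compromised home router leaves both files clean, which is why the certificate-and-domain check on the slide still matters even when this scan reports nothing.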

Page 15

Phishing: Examples (fake email messages)

Page 16

Phishing: Examples (fake email messages, continued)

Page 17

Phishing: Examples (fake websites)

Page 18

Example Scam

1. The attacker creates a fake property ad with a lucrative offer.

2. The attacker publishes the ad on www.example.com.

3. The user sees the lucrative offer.

4. The user sends an email to the address mentioned in the ad.

5. The attacker asks for money to lock down the offer.

6. The user sends 2,000.

Page 19

Social Engineering: Vishing

Page 20

Vishing

Vishing (voice phishing) is collecting sensitive information, or attempting to influence an action, over the telephone. The aim is to obtain valuable information that could contribute to the direct compromise of the victim or the organization, by exploiting people's trust and willingness to help.

Page 21

Vishing news

Sources:
https://www.infosecurity-magazine.com/news/vishing-attacks-to-become/
https://gulfnews.com/business/banking/uae-banking-sector-joins-law-enforcement-agencies-to-fight-fraud-1.70971327
https://www.csbj.com/2020/04/10/hackers-exploit-pandemic-to-attack-businesses/

Page 22

Vishing: Examples (fake phone call)

"Hello. This is Alex calling from your telecom provider. You have a refund due which I would like to remind you of, but first can you please provide your credit card number for verification before we proceed?"

Page 23

Social Engineering: SMiShing

Page 24

SMiShing

Using mobile phone text messages (SMS) to push victims into immediate action, such as downloading mobile malware, visiting a malicious website or calling a fraudulent phone number, in order to extract sensitive information or steal money.

Page 25

SMiShing: Examples (fake SMS)

Page 26

Social Engineering: Baiting

Page 27

Baiting

With the use of physical media like a USB drive or a CD, the attacker tries to capture the attention of the victim by giving it a mysterious label and deliberately placing it where it can be easily found (washroom, elevator, etc.).

Page 28

Social Engineering: Tailgating

Page 29

Tailgating

Physically following someone into a limited-access area.

"Could you please open the door? My hands are full..."

Page 30

Social Engineering: Shoulder Surfing

Page 31

Shoulder Surfing

Shoulder surfing is watching someone's login credentials, ID number, POS terminal PIN, ATM PIN or any other personal secret credentials by looking over their shoulder while they are using them.

Page 32

Social Engineering: Dumpster Diving

Page 33

Dumpster Diving

It is a method of stealing personal information by digging through a company's dumpster or trash.

[Illustration: a discarded note reading "Login: john" / "Password: wombat55"]

Page 34

Social Engineering: Protect yourself and your organization

Page 35

Best Practices

01 Information security awareness training

02 Build a security-aware culture

03 Be cautious about providing personal information, to avoid becoming a victim of phishing, vishing or SMiShing attacks

04 Establish policies and procedures to recognize and respond to social engineering threats

Page 36

05 Have a proper waste management system (shredding or secure disposal of documents and media) to avoid dumpster diving

06 Respectfully refuse to lend your identity token or security pass, and do not hold secured doors open for people you do not know, so that tailgaters cannot get into the building

07 Do not plug a device into your computer unless it belongs to you or was given to you for a purpose by a trustworthy person

08 Review the above steps periodically

09 If you are an organization, perform unannounced periodic tests of your staff and network, such as simulated phishing campaigns, to measure how people respond

Page 37

Questions